{{- $context := . }}
{{- range $crd := $context.Values.ingressNginx.internal.ingressControllers }}
{{- $crdChecksum := toJson $crd | sha256sum }}
  {{- if eq $crd.spec.inlet "HostWithFailover" }}
    {{- if ($context.Values.global.enabledModules | has "vertical-pod-autoscaler-crd") }}
---
apiVersion: autoscaling.k8s.io/v1
kind: VerticalPodAutoscaler
metadata:
  name: proxy-{{ $crd.name }}-failover
  namespace: d8-ingress-nginx
  {{- include "helm_lib_module_labels" (list $context (dict "app" "proxy-failover" "name" $crd.name)) | nindent 2 }}
spec:
  targetRef:
    apiVersion: "apps.kruise.io/v1alpha1"
    kind: DaemonSet
    name: proxy-{{ $crd.name }}-failover
  updatePolicy:
    updateMode: "Off"
    {{- end }}
---
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
  name: proxy-{{ $crd.name }}-failover
  namespace: d8-ingress-nginx
  {{- include "helm_lib_module_labels" (list $context (dict "app" "proxy-failover" "name" $crd.name "init" (now | date "20060102150405"))) | nindent 2 }}
spec:
  maxUnavailable: 1
  selector:
    matchLabels:
      app: proxy-failover
      name: {{ $crd.name }}
---
apiVersion: apps.kruise.io/v1alpha1
kind: DaemonSet
metadata:
  name: proxy-{{ $crd.name }}-failover
  namespace: d8-ingress-nginx
  {{- include "helm_lib_module_labels" (list $context (dict "app" "proxy-failover" "name" $crd.name)) | nindent 2 }}
  annotations:
    ingress-nginx-controller.deckhouse.io/checksum: {{ $crdChecksum }}
spec:
  updateStrategy:
    type: RollingUpdate
    rollingUpdate:
      maxUnavailable: 1
      maxSurge: 0
  selector:
    matchLabels:
      app: proxy-failover
      name: {{ $crd.name }}
  template:
    metadata:
      labels:
        app: proxy-failover
        name: {{ $crd.name }}
    spec:
  {{- if $crd.spec.nodeSelector }}
      nodeSelector:
        {{- $crd.spec.nodeSelector | toYaml | nindent 8 }}
  {{- else }}
      {{- include "helm_lib_node_selector" (tuple $context "frontend") | nindent 6 }}
  {{- end }}
  {{- if $crd.spec.tolerations }}
      tolerations:
      {{- $crd.spec.tolerations | toYaml | nindent 6 }}
  {{- else }}
      {{- include "helm_lib_tolerations" (tuple $context "frontend") | nindent 6 }}
  {{- end }}
      {{- include "helm_lib_priority_class" (tuple $context "system-cluster-critical") | nindent 6 }}
      serviceAccountName: ingress-nginx
      hostNetwork: true
      dnsPolicy: ClusterFirstWithHostNet
      terminationGracePeriodSeconds: 300
      volumes:
        - name: additional-config
          configMap:
            name: proxy-{{ $crd.name }}-failover-config
        - name: xtables-lock
          hostPath:
            path: /run/xtables.lock
            type: FileOrCreate
      containers:
      - image: {{ include "helm_lib_module_image" (list $context "proxyFailover") }}
        name: controller
        env:
        - name: CONTROLLER_NAME
          value: {{ $crd.name }}
        livenessProbe:
          httpGet:
            path: /status
            port: 10255
            host: 127.0.0.1
          initialDelaySeconds: 3
        readinessProbe:
          httpGet:
            path: /status
            port: 10255
            host: 127.0.0.1
          initialDelaySeconds: 3
        resources:
          requests:
            {{- include "helm_lib_module_ephemeral_storage_only_logs" $context | nindent 12 }}
            memory: 500Mi
            cpu: 350m
        {{ include "helm_lib_module_pod_security_context_run_as_user_deckhouse" . | nindent 8 }}
          capabilities:
            add:
            - NET_RAW
            - NET_ADMIN
            - NET_BIND_SERVICE
        volumeMounts:
          - name: additional-config
            mountPath: "/opt/nginx-static/additional-conf"
            readOnly: true
      - image: {{ include "helm_lib_module_image" (list $context "proxyFailoverIptables") }}
        name: iptables-loop
        resources:
          requests:
           {{- include "helm_lib_module_ephemeral_storage_only_logs" . | nindent 12 }}
            memory: 20Mi
            cpu: 10m
        securityContext:
          # containers messing with iptables and iptables-wrapper have to be run as root because iptables-legacy binary requires to be run as root (setsuid isn't an option).
          runAsNonRoot: false
          capabilities:
            add:
            - NET_RAW
            - NET_ADMIN
        volumeMounts:
          - mountPath: /run/xtables.lock
            name: xtables-lock
            readOnly: false
      - name: nginx-exporter
        image: {{ include "helm_lib_module_image" (list $context "nginxExporter") }}
        args:
        - "-web.listen-address=127.0.0.1:10354"
        - "-nginx.scrape-uri=http://127.0.0.1:10253/nginx_status"
        - "-nginx.ssl-verify=false"
        - "-nginx.retries=10"
        - "-nginx.retry-interval=6s"
        livenessProbe:
          httpGet:
            path: /metrics
            port: 10354
            host: 127.0.0.1
        resources:
          requests:
            {{- include "helm_lib_module_ephemeral_storage_only_logs" $context | nindent 12 }}
            memory: 20Mi
            cpu: 10m
        {{ include "helm_lib_module_pod_security_context_run_as_user_deckhouse" . | nindent 8 }}
      - name: kube-rbac-proxy
        image: {{ include "helm_lib_module_common_image" (list $context "kubeRbacProxy") }}
        args:
        - "--secure-listen-address=$(KUBE_RBAC_PROXY_LISTEN_ADDRESS):10355"
        - "--v=2"
        - "--logtostderr=true"
        - "--stale-cache-interval=1h30m"
        env:
        - name: KUBE_RBAC_PROXY_LISTEN_ADDRESS
          valueFrom:
            fieldRef:
              fieldPath: status.podIP
        - name: KUBE_RBAC_PROXY_CONFIG
          value: |
            upstreams:
            - upstream: http://127.0.0.1:10354/metrics
              path: /metrics
              authorization:
                resourceAttributes:
                  namespace: d8-ingress-nginx
                  apiGroup: apps
                  apiVersion: v1
                  resource: daemonsets
                  subresource: prometheus-metrics
                  name: proxy-failover
        ports:
        - containerPort: 10355
          name: https-metrics
        resources:
          requests:
            {{- include "helm_lib_module_ephemeral_storage_only_logs" $context | nindent 12 }}
            memory: 20Mi
            cpu: 10m
      imagePullSecrets:
      - name: deckhouse-registry
  {{- end }}
{{- end }}
